One static, 1 dynamic address ...
This question has been asked many times, but I have yet to see a concise and clear answer to it. Here is the situation.
In Australia, publicly routable IP addresses for LTE services are:
1 - Hard to get
2 - Expensive
3 - Add a LOT to latency as all traffic that uses them is routed via 1 exchange in Sydney irrespective of where you are in the country.
So, for my site-to-site IPsec VPN I have:
Fixed IP for fibre connection into main office (SG3100 server lives here)
10 LTE routers at remote sites, each with a dynamic, non-routable IP. So these clients need to be able to connect to the server. I'm 100% happy for the server to act as a responder only. I've done this before with Cisco ASA etc., so I know the LTE side is capable of it. I assume there must be a way for pfSense to do the same thing?
Anyone have any insights? Please note the condition: DynDNS at the LTE client cannot be part of the solution.
OK. For anyone's interest, this does work.
1 - Turn off automatic firewall rule creation on pfSense.
2 - Set the WAN address in Phase 1 to 0.0.0.0
3 - In Phase 1 advanced, select responder only.
4 - Create an any/any firewall rule in the IPsec rules.
5 - Create UDP/500, UDP/4500 and ESP allow rules.
And we have success, thanks in no small part to some very patient support staff.
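For readers who want to see what the five steps above amount to at the IPsec daemon level, here is an added example in strongSwan `swanctl.conf` syntax. It is not the poster's configuration and not something taken from the pfSense GUI; pfSense generates its strongSwan configuration from the GUI settings, so this is for understanding the mapping, not for pasting onto a live box. All addresses (203.0.113.10 for the fixed HQ WAN, 10.0.0.0/24 and 10.1.0.0/24 for the LANs), the identities `hq.example.com` / `site1.example.com`, the connection names and the secret are made-up placeholders. The example goes one step beyond the post in two ways: each remote site gets its own connection entry bound to its own IKE identity and its own pre-shared key, so a peer arriving from "anywhere" can only match the entry whose identity and key it can prove, and the child traffic selectors are narrowed to the two LANs instead of any/any.

```conf
# --- /etc/swanctl/swanctl.conf on the HQ gateway (responder, fixed address) ---
# Hypothetical values throughout: 203.0.113.10, the LANs, the identities and
# the secret are placeholders, not anything from the original post.
connections {
    site1 {
        local_addrs  = 203.0.113.10
        remote_addrs = %any            # the LTE router's address is dynamic and unknown
        version      = 2               # IKEv2
        proposals    = aes256-sha256-modp2048
        dpd_delay    = 30s
        local {
            auth = psk
            id   = hq.example.com
        }
        remote {
            auth = psk
            id   = site1.example.com    # this entry only matches a peer proving this identity
        }
        children {
            site1-lan {
                local_ts      = 10.0.0.0/24     # HQ LAN
                remote_ts     = 10.1.0.0/24     # site 1 LAN (the narrowed "any/any")
                esp_proposals = aes256gcm16-modp2048
                start_action  = none            # responder only: never initiate
                dpd_action    = clear           # drop a dead SA; the remote re-initiates
            }
        }
    }
    # One block like the above per LTE site (site2 ... site10), each with its
    # own remote id, remote_ts and secret.
}

secrets {
    ike-site1 {
        id-1   = hq.example.com
        id-2   = site1.example.com
        secret = "replace-with-a-long-random-per-site-psk"   # placeholder
    }
}

# --- /etc/swanctl/swanctl.conf on one LTE router (initiator, dynamic address) ---
# No local_addrs: whatever address the carrier hands out is used.
connections {
    hq {
        remote_addrs = 203.0.113.10
        version      = 2
        proposals    = aes256-sha256-modp2048
        dpd_delay    = 30s
        local {
            auth = psk
            id   = site1.example.com
        }
        remote {
            auth = psk
            id   = hq.example.com
        }
        children {
            hq-lan {
                local_ts      = 10.1.0.0/24
                remote_ts     = 10.0.0.0/24
                esp_proposals = aes256gcm16-modp2048
                start_action  = start           # bring the tunnel up as soon as the config loads
                dpd_action    = restart         # re-initiate after an LTE address change
            }
        }
    }
}

secrets {
    ike-hq {
        id-1   = site1.example.com
        id-2   = hq.example.com
        secret = "replace-with-a-long-random-per-site-psk"   # must match the HQ entry
    }
}
```

`remote_addrs = %any` together with `start_action = none` is the daemon-level equivalent of "remote gateway 0.0.0.0" plus "responder only": the HQ side listens and never tries to reach an address it cannot know. Because the responder cannot filter on source address, the IKE identity and the per-site secret are the only things that distinguish one LTE router from another, which is why each site gets its own entry and key rather than one shared secret. On the firewall side, the LTE routers sit behind carrier NAT, so their ESP traffic arrives encapsulated in UDP/4500 (NAT-T); the plain ESP rule from step 5 only matters for a peer that has a public address of its own.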